CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | HIGH |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N |

EPSS percentile: 20.1%
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server’s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.
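The flaw described above is the classic JSSE pitfall: a TLS client that validates the certificate chain but never matches the certificate's names against the host it asked for. The following is an added illustration, not Kroxylicious code and not taken from this record; it shows the weak pattern next to the hardened one using only standard `javax.net.ssl` APIs, with `UpstreamTlsClient`, `connectWithoutHostnameCheck`, `connectWithHostnameCheck` and `verifiesHostname` as names chosen here for the example.

```java
// Added example, not Kroxylicious code: the JSSE behaviour behind a missing hostname check.
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class UpstreamTlsClient {

    /**
     * Weak pattern. A plain SSLSocket validates the server's certificate chain
     * against the trust store, but JSSE does NOT compare the certificate's
     * subject alternative names with the requested host unless an endpoint
     * identification algorithm has been set. Any certificate issued by a trusted
     * CA for any name is accepted, which is exactly what a man-in-the-middle or
     * a DNS/routing compromise needs.
     */
    static SSLSocket connectWithoutHostnameCheck(String host, int port)
            throws IOException, NoSuchAlgorithmException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake(); // chain checked, peer name not checked
        return socket;
    }

    /**
     * Hardened pattern. Enable hostname verification on the socket's parameters
     * before the handshake. "HTTPS" is the JSSE identifier for RFC 2818-style
     * name matching; the name is historical and the check applies to any TLS
     * client, including one talking to a Kafka broker.
     */
    static SSLSocket connectWithHostnameCheck(String host, int port)
            throws IOException, NoSuchAlgorithmException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException on a name mismatch
        return socket;
    }

    /** Audit helper: true only if this socket will verify the peer's name. */
    static boolean verifiesHostname(SSLSocket socket) {
        String alg = socket.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }
}
```

The audit helper is the useful part for a defender: in a code review or a test, assert that every outbound `SSLSocket` or `SSLEngine` has a non-empty endpoint identification algorithm before it handshakes. For Kafka's own client library the equivalent switch is the `ssl.endpoint.identification.algorithm` property, which defaults to `https`; a configuration that sets it to an empty string disables the check and is the thing to look for in config audits.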
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | kroxylicious | - | cpe:2.3:a:redhat:kroxylicious:-:*:*:*:*:*:*:* |
```json
[
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-annotations",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-api",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-app",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-app-licenses",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-filter-test-support",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-integration-test-support",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-kms",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-kms-provider-hashicorp-vault",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-kms-provider-hashicorp-vault-test-support",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-kms-provider-kroxylicious-inmemory",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-kms-provider-kroxylicious-inmemory-test-support",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-kms-test-support",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-krpc-plugin",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-multitenant",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious-kroxylicious-parent",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-record-encryption",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-record-validation",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-runtime",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-sample",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious/kroxylicious-simple-transform",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious.testing/testing-api",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious.testing/testing-impl",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "streams for Apache Kafka",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.kroxylicious.testing/testing-junit5-extension",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:amq_streams:1"
    ]
  }
]
```